Security is hard. You’re busy writing code, but you also want to keep your application secure, so you’re doing double-duty developing new features and keeping an eye on vulnerabilities. You follow Hacker News and Reddit, but you know any good security strategy revolves around defense in depth, and you’re looking to add additional, automated tiers to help keep an eye on security for you. Fortunately, Ruby has some great tools to help you out.
bundler-audit is one such tool. It provides patch-level verification of your Gemfile, auditing your gems for security vulnerabilities so you don’t have to. It easily integrates into your continuous integration workflow, letting you focus on building software and trust that your build will fail when something needs attention. We use it every day, and couldn’t imagine maintaining a complex software application’s dependencies without it.
When CVE-2015-3900 was announced, we found ourselves looking for a similar tool to audit Ruby and RubyGems. To our surprise, we couldn’t find one. So we built it.
RubyAudit was written to complement bundler-audit, providing complete coverage for your Ruby stack. It behaves like bundler-audit, and integrates in the same way. For example, from our
script:
  - ruby-audit
  - bundle-audit
  - rake
Now when an advisory is released, our build fails. We can immediately assign someone to work on upgrading our version of Ruby or RubyGems, ensuring a prompt response. In the meantime, we can get our build passing again by telling RubyAudit to ignore the advisory:
script:
  - ruby-audit -i CVE-2015-7551
  - bundle-audit
  - rake
This provides an automated tier that reinforces our other approaches to security, helping us stay on top of security advisories.
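To show the kind of check that sits behind a failing build, here is an added example in plain Ruby; it is not RubyAudit's own code. It compares a Ruby and RubyGems version against advisory entries using RubyGems' own Gem::Requirement matching, and honours an ignore list the way the -i flag above does. The advisory entries are constructed for illustration: the field names are assumed to follow the ruby-advisory-db layout, the version ranges are invented, and only the CVE ids are taken from the post.

```ruby
# Added example, not RubyAudit's implementation. The advisories below are
# constructed: field names assume the ruby-advisory-db layout, version
# ranges are invented, only the CVE ids appear in the post.
require 'rubygems'

ADVISORIES = [
  { 'engine' => 'ruby', 'cve' => '2015-7551',
    'title' => 'Constructed Ruby advisory',
    'patched_versions' => ['~> 2.0.0.648', '~> 2.1.8', '>= 2.2.4'] },
  { 'engine' => 'rubygems', 'cve' => '2015-3900',
    'title' => 'Constructed RubyGems advisory',
    'patched_versions' => ['~> 2.0.16', '~> 2.2.4', '>= 2.4.7'] },
].freeze

# True when `version` satisfies any patched or unaffected requirement,
# i.e. the advisory does not apply to this version.
def patched?(version, advisory)
  v = Gem::Version.new(version)
  reqs = Array(advisory['patched_versions']) +
         Array(advisory['unaffected_versions'])
  reqs.any? { |r| Gem::Requirement.new(r).satisfied_by?(v) }
end

# `versions` maps engine name to installed version, e.g.
# { 'ruby' => RUBY_VERSION, 'rubygems' => Gem::VERSION }.
# `ignore` holds CVE ids, with or without the "CVE-" prefix, as passed
# to `ruby-audit -i`. Returns the applicable, non-ignored advisories.
def audit(versions, advisories, ignore: [])
  ignored = ignore.map { |id| id.sub(/\ACVE-/, '') }
  advisories.reject do |adv|
    version = versions[adv['engine']]
    # Advisories for an engine we are not auditing are skipped.
    version.nil? || ignored.include?(adv['cve']) || patched?(version, adv)
  end
end

if __FILE__ == $PROGRAM_NAME
  installed = { 'ruby' => RUBY_VERSION, 'rubygems' => Gem::VERSION }
  findings = audit(installed, ADVISORIES, ignore: ARGV)
  findings.each { |a| puts "Vulnerable: CVE-#{a['cve']} #{a['title']}" }
  exit 1 unless findings.empty? # a non-zero exit is what fails the CI build
end
```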
As with many open-source projects, we do great things by building on top of those that came before. RubyAudit would not exist without the hard work of the rubysec team, specifically bundler-audit and ruby-advisory-db.